Hi,

On Wed, 31 Oct 2018 at 17:53, Arne Schwabe <a...@rfc2549.org> wrote:
> Before OpenSSL 1.1.1 there could be no mismatch between
> compiled and actual OpenSSL version. With OpenSSL 1.1.1 we need
> runtime detection to detect the actual best TLS version supported.
>
> Allowing this runtime detection also allows removing some of the
> TLS 1.3/OpenSSL 1.1.1 #ifdefs
>
> Without this patch tls-min-version 1.3 or-highest will actually
> downgrade to TLS 1.3 in the "compiled with 1.1.0 and linked against
> 1.1.1" scenario.

"Downgrade to TLS 1.2", I guess?

But more fundamental: do we want to support runtime-upgrading the TLS library? Are we sure that this is the only place where this will create unexpected behaviour? Does it even make sense to upgrade a dependency to a version that contains all sorts of API/ABI changes and then expect that you do not have to recompile?

Honest questions; I don't understand why one would want or do this.

-Steffan
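
The mismatch discussed in this thread, as an added example that is not part of either message or of OpenVPN's code: a simplified model of how `or-highest` resolves a requested minimum of TLS 1.3 when the ceiling is taken from the compile-time OpenSSL version versus the version actually linked. The enum, the function names and the two version constants are assumptions made for illustration.

```c
#include <stdio.h>

/* TLS versions as ordered integers (illustrative enum, not OpenVPN's). */
enum tls_ver { TLS_UNKNOWN = 0, TLS_1_0, TLS_1_1, TLS_1_2, TLS_1_3 };

/* OpenSSL packs its version as 0xMNNFFPPS; 1.1.1 is the first with TLS 1.3. */
#define OSSL_1_1_1 0x10101000UL

/* Highest TLS version a given OpenSSL version number can negotiate. */
static enum tls_ver max_tls_for(unsigned long ossl_version)
{
    return ossl_version >= OSSL_1_1_1 ? TLS_1_3 : TLS_1_2;
}

/* Resolve a requested minimum against the ceiling the program believes in.
 * With or_highest set, a request above the ceiling is replaced by the
 * ceiling; without it the request is rejected (TLS_UNKNOWN). */
static enum tls_ver resolve_min(enum tls_ver requested, int or_highest,
                                unsigned long ossl_version)
{
    enum tls_ver ceiling = max_tls_for(ossl_version);
    if (requested <= ceiling)
        return requested;
    return or_highest ? ceiling : TLS_UNKNOWN;
}

int main(void)
{
    /* Constructed scenario from the thread: headers 1.1.0, library 1.1.1.
     * In a real build these would come from OPENSSL_VERSION_NUMBER and
     * OpenSSL_version_num() respectively. */
    unsigned long compiled = 0x1010000fUL, linked = 0x1010100fUL;
    static const char *names[] = { "rejected", "1.0", "1.1", "1.2", "1.3" };

    /* Same option, same binary: the result depends on which ceiling is used. */
    printf("compile-time ceiling: min = TLS %s\n",
           names[resolve_min(TLS_1_3, 1, compiled)]);
    printf("runtime ceiling:      min = TLS %s\n",
           names[resolve_min(TLS_1_3, 1, linked)]);
    return 0;
}
```
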